On Sat, 26 Jun 2004 05:42, Stephen Smalley <sds@xxxxxxxxxxxxxx> wrote:
> But I'm not clear that vmware-config.pl should be labeled vmware_exec_t
> at all (vs. bin_t). What is the advantage of running the configuration
> script in vmware_t vs. sysadm_t? There are no type transition rules for
> vmware_t (except for /var/run files), so it doesn't help keep the
> configuration in the right type.

Yes, vmware-config.pl should be labelled as bin_t (i.e. removed from vmware.fc). But that's a small issue compared to all the other vmware issues.

We want to have support for multiple domains for vmware for different user roles, and the policy should be easily configurable for one user to be able to launch vmware in different domains for NetTop type stuff.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page